15 January 2021

Swedish STANAG-5066 client-application, a look at the DTS sublayer

(Just an update about the "Swedish Army client-application for STANAG-5066" topic)
As said in the previous posts, the users employ the 3G-HF "Circuit Mode" service (STANAG-4538), data are transferred in non-ARQ mode using the STANAG-5066 stack and basic end-to-end transport protocols (UDOP/RCOP). Since the use of 3G-HF, the stations partecipating the netwok synchronously scan the assigned pool of frequencies and transmissions just happen when in need. 
I came across on a transmission, on 4742.0 KHz/USB, that exhibits two features never seen before in the previous transmissions (at least in my case):
● the used HF waveform is STANAG-4539 3200bps (usually they employ 188-110 1200bps along with S-5066 or alone in 8-bit text mode);
● the multiple occurrences of the ASCII string "WVKA" inside a message, which implies a look at the role of the Data Transfer Sublayer (DTS) of STANAG-5066.

Fig. 1 - Multiple occurrences of the string "WVKA", here in block 2 out-of 20

It's noteworthy that, actually, the occurrences are about the half since data are repeated!
Just a reminder for background: in case of a source message that is larger than the MTU (Maximum Transmission Unit) of the S-5066 subnetwork interface (usually <=2048 bytes), the client-application segments the message into n-blocks (A_PDUs) before its submission. The blocks are then encapsulated into the final C_PDUs, which in turn are segmented by the Data Transfer Sublayer (DTS) into smaller 200-byte D_PDUs (PDU stands for Protocol Data Unit).


Fig. 2 - progressive encapsulations and segmentation in S-5066 stack

It's possible to verify that in some circumstances - probably when UDOP protocol is used - segmenting a C_PDU results in duplicate D_PDUs (!), except the first and the last D_PDUs (read below). As clearly shown in Figure 3, the analyzed transmission just matches that case.

Fig. 3 - The duplicated D_PDUs in the block 2 out-of 20 (the same block of Figure 2)

This behavior is easily seen in many transmissions, whether they use S-4539 or 188-110A waveforms: note in Figure 4 that the first D_PDU is repeated only in the first C_PDU, while the last D_PDU is never repeated.

Fig. 4

Where do the duplicate D_PDUs come from? Inspecting the headers in Figure 5, it's possible to note that the "C_PDU Segment Offset" field contains the same value in the pairs of the duplicate D_PDUs. Given that the Segment Offset indicates the location of the first byte of the segment with respect to the start of the C_PDU, it means that the C_PDU (and thus the upper sublayers) does not contain duplicate data, otherwise the Segment Offset fields in the pairs of the duplicate D_PDUs would have contained different values! Thus, in my opinion, the duplicate D_PDUs are originated by the DTS sublayer. Notice that what we see in Figure 5 are the on-air bytes, thus after they have leaved the DTS (see the S-5066 stack in Figure 2).

Fig. 5 - headers of the D_PDUs (each row is a D_PDU, see Figure 2)

Segment Offset fields contains a 200 bytes step values, as expected:
0x0000 =    0
0x00C8 =  200
0x0190 =  400
0x0258 =  600
0x0320 =  800
0x03E8 = 1000

...

The receive node will re-assembly a C_PDU from its segments (the D_PDUs) after they have passed the CRC error-check and have no detectable errors: probably the redundancy is used in this regard. I did not find any reference in the S-5066 standard, at least the one at my disposal, and I tend to exclude possible errors of the S-4539 (or 188-110A) decoder since the same results were obtained using different decoders and different HF waveforms: so, at least in my opinion, the repetition of the D_PDUs could be a custom modification of the code of DTS  (switchable to maintain NATO compatibility) or a new feature added to a recent edition of S-5066. Definitely, even if the latency increases (such transmission mode takes about twice as much time, although they have moved on the 3200 bps of S-4539) the add of redundancy improves the general reliability of the system since S-5066 is used in non-ARQ mode.

As for the string "WVKA", only guesswork can be made: further recordings are in need. For now, I'm going to code a S-5066 dissector to facilitate the reading of the headers...

https://yadi.sk/d/9vqs2DfTOKN1sg
https://yadi.sk/d/s7oyiYaTt406vw 

8 January 2021

4G-ALE Fast WALE (188-141D) and WBHF traffic (188-110D)

A necessary note due to the multiplicity of abbreviations and acronyms:
WBHF: Wideband HF waveforms, as per MIL 188-110D App.D;

3G-ALE: third generation ALE as per 3G-HF STANAG-4538 (FLSU and RLSU protocol);
3GWB: 3G-ALE extensions to the FLSU protocol for wideband operations;
WBALE: (or WB ALE) Harris implementation of 3GWB;
WALE: (or 4G-ALE) wideband ALE as per MIL 188-141D App.G, fourth generation ALE;
(thus, WBALE is not WALE since they use different waveforms)

Thanks to a reporting of my friend Martin G8JNJ, on 4744.0 KHz (the "assigned" ALE frequency) - mostly in the morning -  it is possible to receive transmissions which use 4G-ALE Fast WALE (MIL 188-141D App.G) and WBHF (MIL 188-110D App.D) waveforms: it's the first time for me that I have the canche to "see" and analyze 4G-ALE signals. 

The WALE (4G-ALE) system uses waveforms derived from the WBHF waveforms for its transmissions, and draws ideas from both second- and third-generation ALE for its protocols. The WALE waveforms operate in 3 kHz and provide two interoperable modes for sending PDU – the “Fast” WALE waveform (intended for very fast link setup in voice-quality channels) and the “Deep” WALE waveform (designed for operation in the most challenging channels, including SNR < 0dB). The choice between Fast or Deep WALE can be made on a call-by-call basis as receivers listen to both types of WALE calls, as well as 3G & 2G ALE calls for simultaneous operation with existing narrowband circuits.[1]

In the recorded session shown in Figure 1, the transmissions consist of two-way 4G-ALE handshakes followed by data transfers using ARQ method and WBHF waveforms: the bursts following the last ACQs are probably an EOM signaling given that the following session begins with a 4G-ALE handshake. Since the strong signals in the analyzed sample, I can't say if it's a bidirectional link. 

Fig. 1

The WALE waveforms employ PSK8 modulation of an 1800 Hz subcarrier at a rate of 2400 symbols per second. The Fast WALE waveform is designed to set up links quickly in relatively good channels (voice quality or better). The two more dense states in the phase plane of Figure 2 are due to the fact that each bit of WALE data is sent using PSK2 (transcoded to PSK8 symbols and then scrambled by modulo 8 addition).

Fig. 2 - Fast WALE bursts
 

Quoting 188-141D "Each Fast WALE transmission shall begin with zero or more TLC blocks, or a Capture Probe in an asynchronous-mode call or termination, followed by the Fast WALE acquisition preamble, followed by one or more coded and interleaved WALE PDUs. The coded and interleaved bits of each WALE PDU shall be sent in alternating blocks of unknown (PDU) symbols and known (probe) symbols as shown in Figure G-9."
In the analyzed samples (synchronous calls) there are zero TLC blocks and no Capture Probe but, although Fast WALE uses a preamble consisting of nine 32-symbol Walsh sequences, according to my measurements, the preambles consist of seven sequences for a total of (7x32) + 32 + 96 +32 + 96 + 32 = 512 PSK symbols.

Fig. 3 - Fast WALE waveform

The traffic segments are PSK8 modulated at symbol rate of 9600Bd, ACF value is 120ms that makes a 3456-bit length period or 1152 PSK8 symbols (Figure 4): the frame structure (Figure 5) matches the waveform #7 of 188-110D App.D ie, 1024 Unknow symbols (3072 bit) + 128 Known symbols (384 bit). 

Fig. 4 - WBHF waveform #7

Fig. 5

The bursts I termed as "EOM" also employ PSK8 modulation at symbol rate of 9600 Baud, but they show a frame length of 1504 symbols (Figure 6), maybe due to the modulation method used for those messages (PSK8 is as they appear on-air).

Fig. 7

[1] https://www.rapidm.com/wp-content/uploads/2018/10/RM10_WBHF_EN.pdf

https://yadi.sk/d/FkvzXFHKLL0Rbw
 

27 December 2020

async 5N1.5 STANAG-4481F in cleartext

Yet another interesting STANAG-4481F signal, this time operated in async 5N1.5 mode and in cleartext(!): first time I see a not encrypted S-4481F transmission (obviously except FABs/CARBs). Signal spotted on 11123.55 KHz (CF) at 2220Z a few days ago (24th Dec) thanks to the AI6VN/KH6 KiwiSDR at Kahakuloa, Maui, HI.

Fig. 1

Curiously, since the poor quality of the signal, the bitstream sometimes appears as 5N1 and sometimes as 5N2 (Figure 2).

Fig. 2 - 5N1 and 5N2 bitstreams

The decoded text concerns the AOMSW exercise in the Arabian Gulf on December 21 [1] and since the title ("Navy News Stories of the day" ) and the text, I think it's probably a kind of "press review" for the fleet at sea. 

Fig. 3 - decoded text

Don't know which USN/NATO station operates on that frequency (11223.55 KHz, CF) and unfortunately I went late on that transmission so I didn't have time to DF the signal.

[1] https://www.centcom.mil/MEDIA/NEWS-ARTICLES/

https://yadi.sk/d/ZWGnhaEtwStUmQ 
https://yadi.sk/d/rkR8ritYr1C_bQ 

22 December 2020

An odd STANAG-4481F link

Odd STANAG-4481F transmissions consisting of (apparently) continuous KG-84/KIV-7 64-bit sync sequence, spotted on 11222.0 Khz (CF): this is the first stime I hear S-4481F on that frequency. These transmissions have been going on h24 for days and always keeping the same modality.

Fig. 1 - note the oscillations during the mark-space switch

As pointed out by my friend cryptomaster, although k500 decoder recognizes the KG-84 64-bit sync sequence, actually the stream consists of the 63-bit m-sequence generated by the polynomial x^6+x^5+1, or its counterpart x^6+x+1 (Figure 2); this way, the KG-84 sync sequence is obtained by adding one "1" bit. Otherwise, the KG-84 sync sequence may be obtained assuming (as the decoder does) the last bit "1" of the sequence n as the first bit of the sequence n+1, i.e. as if that bit were "in common" bewteen two consecutive sequences (Figure 3). In a few words, decoders are tricked by that 63-bit sequence.
In my opinion, the choice to send that m-sequence is not a "casual" one - they could have used any other test pattern - but raher it's a deliberate choice since its closeness to the KG-84 sync sequence (just one bit) and the fact that KG-84 is largely used in S-4481F links. Interestingly, the stream resulting after the removal of the scrambler consists of  bits all set to "1"; as above, they could have used any other scrambler polynomial.
 
Fig. 2
Fig. 3
 
Fig. 4 - a STANAG-4481F decoder working the 11222.0 KHz transmission

It's difficult to say what it is exactly: maybe tests in view of the setup of a new link,  a frequency marker or maybe some trials. Every attempt to find the Tx site by using TDoA method is different, almost surely it's somewhere in the North-East of US, most likely NSS/AFA Davidsonville (Figure 5).
I will update the post as soon as something new comes out. 
 
Fig. 5a - according to these DF attempts, TX seems located north of Baltimore (likely Davidsonville)
Fig. 5b - other TDoA attempt obtained by selecting receivers from east to west (...still Davidsonville)
 

16 December 2020

Unid MFSK-13 system

Unid MFSK-13 system running at different speeds (31/62.5/125 Baud) and intervals (125/250 Hz) spotted on Twente WebSDR on ~10625, ~9091, ~7779 KHz/USB thanks to friend radiotehnikaT101

Fig. 1
Fig. 2

It's to be noticed the quick change of the waveform in the 10625 KHz recording (from 31Bd/250 to 125Bd/126): maybe the first part could be the "call" segment. I tried a rough demodulation by replacing the Hex characters (0...C) with their binary value (0000...1100) but I didn't find anything interesting in the bitstreams except some patterns in the 31Bd/250 segment (88/176 bit period).
Most likely  these are experimental transmissions in the network of the Ministry of Foreign Affairs of the Russian Federation. 

Fig. 3

https://yadi.sk/d/ShwOzo4-qA6Ygg
https://yadi.sk/d/oAWEbU54GvHljQ 

11 December 2020

unid 216-bit Initialization Vectors

 

Interesting MIL 188-110A segments which transport encrypted data. The bitstreams corresponding to the eigth segments - after 110A removal - are shown in Fig. 2; unless segments e and f, each bitstream consists of an initial block followed by encrypted data.

Fig. 2 - demodulated bitstreams

The initial blocks consist of a 216-bit (27 bytes) sequence, most likely the initialization vector, which is 3 times repeated: obviously, the initialization vectors are different in each segment. It's to be notice thatsegment h (the last) is preceeded and followed by 3G-HF Fast Link Setup bursts (FLSU, BW5 waveform); most likely it's an incomplete recording of a 3G-HF Circuit Service mode using 110A.

Fig. 3 - 3x216-bit IV

https://yadi.sk/d/Iu7LUbo_9klFRg

30 November 2020

unid 200Bd/400 MFSK-4

Yet another interesting signal sent me by my friend Eddy from Australia. The transmission has been recorded on 16320.0 KHz/USB at 0520Z and consists of 200Bd/400 FSK-4 segments (the signal in between does not carry information). Figure 1 shows the measurement of the relevant FSK parameters. 

Fig. 1

The first two segments A,B (the shorter ones) could probably act as selcall. Indeed, after the removal of the polynomial x^5+x^4+x+1, the stream exhibits an interesting 8-bit structure where repeated initial patterns can be seen.

Fig. 2

The longest segment has an interesting structure. In my opinion, the initial part is formed of a 118-bit initial sequence followed by a block consisting of a 192-bit (24 bytes) sequence which is four times repeated; probably it's the synch + initialization vector section of the message.

Fig. 3

After the removal of the initial part, the stream shows a 504-bit period but with several alternate sequences (Fig. 4). The same 8-bit structure is visible after the removal of the polynomial x^5+x^4+x+1 (Fig. 5 ). Most likely it's a Chinese waveform, although there are not more informations about it. Recently these transmissions have also been listened on the Twente websdr (and just on the same frequency).

Fig. 4
 
Fig. 5

 
https://yadi.sk/d/nECimsqDQuy1hw

24 November 2020

unid 200Bd/400 FSK bursts

Interesting 200Bd/400 FSK bursts heard on 12087.4 KHz/USB and reported by my friend Eduard (Eddy) Waters from Australia. The bitstream consists of repeated sequences of 32 bit; I did not find a suitable polynomial.

Fig. 1

Probably a kind of telecontrol sending the same values, for example 4-bit groups (assuming 1001 as the first group):
1001 0011 0001 1101 1011 0010 1100 1100
1001 0011 0001 1101 1011 0010 1100 1100
1001 ...
or groups of 8/16 bits.

Fig. 2

We wonder what that was all about, seems strange it has not come back on.

https://yadi.sk/d/-emC-NSD_0c8Bg

18 November 2020

unid 318000Bd/228 GFSK (UHF)

Unid 318000Bd/228 GFSK spotted on 428 MHz and sent me by a friend of mine

Fig. 1

After the removal of the scrambler x^9+x^4+1, the bitstream shows an interesting 228-bit (or 12 x 19-bit groups) period.

Fig. 2 - 19-bit grouped stream
 
Fig. 3 - 228-bit period stream


https://yadi.sk/d/Ztlm4dzYC7UCuA

13 November 2020

OFDM 17-tone PSK4 62.5 Bd, "struna" HF (струна)

Heard on 10994.0/USB (10995.5 CF) starting from 1020Z on Twente WebSDR. That "Struna" HF waveform consists of OFDM 17-tone modulation using PSK4 at 62.5 Bd, tones are 62.5 Hz spaced. Struna transmissions take place on a pool of frequencies at .10, .20 and. 30 minutes every hour. Thanks to cryptomaster for the tip and radiotehnikaT101 for warning about the on-air signal presence.

 

https://yadi.sk/d/byshR4UAz-BAAQ